
I have seen several ways to set up external provider support for authentication in ASP.NET Web API using Identity; however, all of them rely on a cookie that is set after the user is successfully authorized by the external provider (called "AspNet.External"), which then has to be forwarded to the token endpoint on the Web API itself.

Is there any way to circumvent this and use external authentication with ASP.NET Web API without the need to use cookies? The reason for this concern is that I would like to integrate this authentication in my mobile app, but the user can disable cookies any time, rendering my app unusable.

  • In a regular ASP.NET project, you can use a cookieless session using 'url', i.e. the unique identifier that identifies a session is tagged onto the URL as a querystring. I hope you can find such an example for Web API; that would solve your purpose. Commented Feb 4, 2015 at 18:54
  • It's unclear to me what you're asking here. Every request has to identify itself somehow, and that is usually with a cookie because this is the most secure way to do it. You can use a querystring parameter, but that is highly insecure because querystrings are recorded in routing and proxy logs, as well as server logs. Commented Feb 4, 2015 at 19:01
  • Yes, I understand that the request needs a way to be identified, but I am not sure if a cookie is the best way to do it, because with disabled cookies the authentication will just not work. Or will the cookies be temporarily stored in the WebView even if they are actually disabled? My point is just to make sure the authentication will work on all devices. Commented Feb 7, 2015 at 8:31
  • I agree with MZetko that there isn't any information about this on the internet. I was able to use refresh tokens together with external logins, and without using cookies, using as a starting point this post from Taiseer Joudeh: bitoftech.net/2014/07/16/… but my solution was pretty ugly because I had to do a lot of modifications, so I look forward to a response to this question too. (P.D.: the client of my Web API is an Angular app, not a mobile one). Commented Feb 7, 2015 at 18:48
  • @AugustoBarreto Thanks for referencing my post, but in all cases the authentication will take place in the user's mobile browser and the consent will be in the browser, not your mobile application; it is highly unlikely that the user will turn off cookies in the mobile browser. I guess there is no workaround for this. Can you share with me how you enabled refresh tokens with social logins? I guess the implementation was complicated, right? Commented Feb 9, 2015 at 8:43

1 Answer


What about using OAuth2?

  1. Build an OAuth2 server with https://www.nuget.org/packages/Microsoft.Owin.Security.OAuth/ ,
  2. Set your server Web API app up as a resource server, and enable OAuth bearer authentication, which uses the Authentication header, not a cookie.
  3. After getting the access_token from the OAuth2 server, set the Authentication header on your client request.

You can check out the code here:

https://github.com/beginor/owin-samples
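The three steps above in one OWIN startup, as an added example that is not part of the original answer or of the linked owin-samples repository. It assumes the Microsoft.Owin.Security.OAuth and Microsoft.AspNet.WebApi.Owin packages; the `DemoAuthProvider` class and the `demo`/`demo-password` credentials are hypothetical, and the resource owner password grant is used only because the answer names no grant type.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Step 1: OAuth2 authorization server issuing bearer tokens at /token.
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new DemoAuthProvider(),        // hypothetical, defined below
            AccessTokenExpireTimeSpan = System.TimeSpan.FromMinutes(30),
            AllowInsecureHttp = false                 // tokens must only travel over TLS
        });
        // Step 2: resource server; validates "Authorization: Bearer <token>", no cookie involved.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
        var config = new HttpConfiguration();
        config.SuppressDefaultHostAuthentication();   // ignore any cookie-based principal
        config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
        app.UseWebApi(config);                        // [Authorize] controllers now see the token identity
    }
}
// Hypothetical provider: the answer names no grant type, so the password grant is used only to make /token exercisable.
public class DemoAuthProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext ctx)
    {
        ctx.Validated();                              // public client, no client secret
        return Task.FromResult(0);
    }
    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext ctx)
    {
        // Replace with a real credential check (e.g. ASP.NET Identity UserManager).
        if (ctx.UserName != "demo" || ctx.Password != "demo-password")
        {
            ctx.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult(0);
        }
        var identity = new ClaimsIdentity(ctx.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, ctx.UserName));
        ctx.Validated(identity);                      // the access token is issued from this identity
        return Task.FromResult(0);
    }
}
```

Step 3 on the client is then just `client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken)` on an `HttpClient`; nothing in this flow reads or writes a cookie.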


1 Comment

I was thinking an easier and simpler solution should be available. This would mean an almost clean from the ground implementation...
